XenMobile Android Enterprise & iOS devices failed to enroll after ADC upgrade to 13.0-82.41+ or 12.1-62.23+
Article ID: CTX322608
Updated On:
Description
In a deployment of Citrix ADC (Gateway) + XenMobile Server on-premise.
When Citrix ADC upgrade to 13.0-82.41+ or 12.1-62.23+ version or
XenMobile Android Enterprise and iOS device enrollment will fail.
Environment
The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.
Resolution
Please refer to the following Citrix ADC doc to enable SSO configuration for XenMobile Gateway Virtual server.
https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/enable-sso-for-auth-pol.html
GUI Configuration Guide:
CLI Configuration Guide:
https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/enable-sso-for-auth-pol.html
GUI Configuration Guide:
- Part 1: Configure a traffic policy that enabled http SSO:
13. Navigate to Citrix Gateway > Policies > Traffic, select Traffic Profiles tab, and click Add.
- Part 2: After configured traffic policy, please bind it to XenMobile Gateway Virtual Server.
Navigate to Citrix Gateway> Virtual Servers, select XenMobile Gateway and Edit.
Then Scroll DOWN to the bottom to find Policies section to add binding a traffic policy:
Select the traffic policy we just created, for example named as vpn_tf_pol, then bind it with a high Priority value like 63000
Select the traffic policy we just created, for example named as vpn_tf_pol, then bind it with a high Priority value like 63000
CLI Configuration Guide:
Demo configuration commands follows:
//Creating traffic policy with SSO enabled
add vpn trafficaction vpn_tf_act http -SSO ON
add vpn trafficpolicy vpn_tf_pol true vpn_tf_act
//Binding traffic policy to XenMobile Gateway Virtual server
bind vpn vserver _XM_XenMobileGateway -policy vpn_tf_pol -priority 63000
//Creating traffic policy with SSO enabled
add vpn trafficaction vpn_tf_act http -SSO ON
add vpn trafficpolicy vpn_tf_pol true vpn_tf_act
//Binding traffic policy to XenMobile Gateway Virtual server
bind vpn vserver _XM_XenMobileGateway -policy vpn_tf_pol -priority 63000
Problem Cause
It's because ADC 13.0 after 13.0-82.41 and 12.1-62.23 has disabled weak SSO types like Basic/Digest/NTLM at global level as Security Enhancement.
We shall enable these SSO for XenMobile Gateway Virtual Server.
Issue/Introduction
ADC disabled weak SSO types globally.
Was this article helpful?
Yes
No
Powered by
